Fixes from mount move testing (#14492)

* Add validation, fix docs * add changelog * fmt fix * Update vault/logical_system.go Co-authored-by: Josh Black <raskchanky@users.noreply.github.com> * Update vault/logical_system.go Co-authored-by: Josh Black <raskchanky@users.noreply.github.com> * Update vault/logical_system_test.go Co-authored-by: Josh Black <raskchanky@users.noreply.github.com> * Update vault/logical_system_test.go Co-authored-by: Josh Black <raskchanky@users.noreply.github.com> Co-authored-by: Josh Black <raskchanky@users.noreply.github.com>
2025-10-29 09:42:25 +00:00 · 2022-03-15 11:11:23 -07:00
parent a915c9dc10
commit 0cb4e1621a
4 changed files with 43 additions and 1 deletions
--- a/changelog/mount-migration.txt
+++ b/changelog/mount-migration.txt
@@ -0,0 +1,3 @@
+```release-note:feature
+**Mount Migration**: Vault supports moving secrets and auth mounts both within and across namespaces.
+```
--- a/vault/logical_system.go
+++ b/vault/logical_system.go
@@ -1201,6 +1201,13 @@ func (b *SystemBackend) handleRemount(ctx context.Context, req *logical.Request,
 			logical.ErrInvalidRequest
 	}

+	if strings.Contains(fromPath, " ") {
+		return logical.ErrorResponse("'from' path cannot contain whitespace"), logical.ErrInvalidRequest
+	}
+	if strings.Contains(toPath, " ") {
+		return logical.ErrorResponse("'to' path cannot contain whitespace"), logical.ErrInvalidRequest
+	}
+
 	fromPathDetails := b.Core.splitNamespaceAndMountFromPath(ns.Path, fromPath)
 	toPathDetails := b.Core.splitNamespaceAndMountFromPath(ns.Path, toPath)

--- a/vault/logical_system_test.go
+++ b/vault/logical_system_test.go
@@ -995,6 +995,38 @@ func TestSystemBackend_remount_nonPrintable(t *testing.T) {
 	}
 }

+func TestSystemBackend_remount_spacesInFromPath(t *testing.T) {
+	b := testSystemBackend(t)
+
+	req := logical.TestRequest(t, logical.UpdateOperation, "remount")
+	req.Data["from"] = " foo / "
+	req.Data["to"] = "bar"
+	req.Data["config"] = structs.Map(MountConfig{})
+	resp, err := b.HandleRequest(namespace.RootContext(nil), req)
+	if err != logical.ErrInvalidRequest {
+		t.Fatalf("err: %v", err)
+	}
+	if resp.Data["error"] != `'from' path cannot contain whitespace` {
+		t.Fatalf("bad: %v", resp)
+	}
+}
+
+func TestSystemBackend_remount_spacesInToPath(t *testing.T) {
+	b := testSystemBackend(t)
+
+	req := logical.TestRequest(t, logical.UpdateOperation, "remount")
+	req.Data["from"] = "foo"
+	req.Data["to"] = " bar / "
+	req.Data["config"] = structs.Map(MountConfig{})
+	resp, err := b.HandleRequest(namespace.RootContext(nil), req)
+	if err != logical.ErrInvalidRequest {
+		t.Fatalf("err: %v", err)
+	}
+	if resp.Data["error"] != `'to' path cannot contain whitespace` {
+		t.Fatalf("bad: %v", resp)
+	}
+}
+
 func TestSystemBackend_leases(t *testing.T) {
 	core, b, root := testCoreSystemBackend(t)

--- a/website/content/docs/commands/auth/move.mdx
+++ b/website/content/docs/commands/auth/move.mdx
@@ -25,7 +25,7 @@ method.**
 Move the existing auth method at ns1/approle/ to ns2/new-approle/:

 ```shell-session
-$ vault auth move ns1/approle/ ns2/new-approle/
+$ vault auth move ns1/auth/approle/ ns2/auth/new-approle/
 ```

 ## Usage